From c00c013f19ab6d4df025adc793e5a23ff7d8ed42 Mon Sep 17 00:00:00 2001 From: Tommaso Fonda Date: Tue, 21 Nov 2023 15:58:46 +0100 Subject: [PATCH] sm6225-common: amplifier: Add amplifier usecase to head of usecase list When a call is received, if the ringtone is played through the speaker, the audio HAL will freeze and restart when the call is answered, leading to a few seconds of silence at the beginning of the call. This happens because of a NULL pointer dereference, which is in turn caused by a UAF in the check_usecases_codec_backend() function, in the audio HAL. The UAF occurs because the amplifier HAL appends its usecase at the wrong end of the usecases list - tail instead of head. When the second list_for_each() loop in the aforementioned function iterates through the list, it first finds the regular low-latency-playback usecase, and calls disable_snd_device() for the speaker output device. This causes the amplifier HAL to execute aw882xx_stop_feedback(), which frees its usecase in the list, but the internal pointer of the list_for_each() macro already points to it, thus the following iteration effectively operates on a free'd object. To fix this issue, have the amplifier HAL append its usecase to the head of the list: this way, it will be iterated on before the low-latency-playback usecase, i.e. before it gets free'd. Change-Id: Ia8dcb11b3ed320836a6602798ff5c390e7afa9d2 --- audio_amplifier/audio_amplifier.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/audio_amplifier/audio_amplifier.c b/audio_amplifier/audio_amplifier.c index 8c40af2..197cba2 100644 --- a/audio_amplifier/audio_amplifier.c +++ b/audio_amplifier/audio_amplifier.c 
@@ -92,7 +92,7 @@ int aw882xx_start_feedback(void* adev, uint32_t snd_device) { aw_dev->usecase_tx->in_snd_device = SND_DEVICE_IN_CAPTURE_VI_FEEDBACK; list_init(&aw_dev->usecase_tx->device_list); - list_add_tail(&aw_dev->adev->usecase_list, &aw_dev->usecase_tx->list); + list_add_head(&aw_dev->adev->usecase_list, &aw_dev->usecase_tx->list); enable_snd_device(aw_dev->adev, aw_dev->usecase_tx->in_snd_device); enable_audio_route(aw_dev->adev, aw_dev->usecase_tx);
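Review bot: the switch from list_add_tail to list_add_head at the changed line fixes the crash by relying on list order rather than on the unsafe iteration itself, so it is fragile: check_usecases_codec_backend() still walks the list with list_for_each() while disable_snd_device() can free a node through aw882xx_stop_feedback(), and any usecase added to the head later, or a second amplifier usecase, would reintroduce the same UAF. Consider pairing this with a deletion-safe loop in check_usecases_codec_backend() (a list_for_each_safe-style macro, if the list helpers provide one) or having aw882xx_stop_feedback() defer the free until the loop has finished, and add a comment above the list_add_head() call stating that head insertion is required so the amplifier usecase is visited before low-latency-playback, since nothing in the code otherwise records that ordering dependency.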